---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'WordPress Remote Code Execution'
version: '1.0'
number: '2019-004'
date: 'February 21, 2019'
---

_History:_

* _21/02/2019 --- v1.0 -- Initial publication_

# Summary

A critical remote code execution vulnerability in versions of WordPress prior to 5.0.3 was disclosed. The flaw could be exploited by an attacker who gains access to an account with at least _author_ privileges on a WordPress install to execute arbitrary PHP code on the underlying server.

# Technical Details

The flaw is a chain of a **path traversal** and a **local file inclusion** vulnerability that leads to remote code execution in the WordPress core and full remote takeover. Chaining the path traversal vulnerability with a local file inclusion flaw in the theme directory could allow the attacker to execute arbitrary code on the targeted server.

A security measure implemented in WordPress versions 5.0.1 and 4.9.9 prevented exploitation of the flaw because it made it impossible for unauthorized users to set arbitrary post meta entries. However, the path traversal issue is still unpatched even in the latest WordPress version, and it can also be exploited in the presence of installed third-party plugins that incorrectly handle post meta entries [3].

# Products Affected

The vulnerability described above was rendered non-exploitable by a security patch in versions 4.9.9 and 5.0.1. However, the path traversal is still possible and currently unpatched. On any WordPress site, an installed plugin that incorrectly handles post meta entries can make exploitation still possible.

# Recommendations

It is highly recommended to upgrade to WordPress version 5.0.3. This should prevent exploitation of the remote code execution vulnerability. However, the remaining path traversal vulnerability will be addressed only with the next release.

# References

[1] [2] [3]